Has the cross-site scripting vulnerability been addressed in the RoboHelp 10 version
To the best of my knowledge it was addressed in Rh9. Rh10 has an HTML5 output option that does not use frames.
However, if security is a concern, then only a security expert can give you the assurance you require.
Personally I have yet to hear of webhelp being used maliciously but that does not mean it hasn't happened.
See www.grainge.org for RoboHelp and Authoring tips
I'm not sure v9 addressed it, my audit team just found some cross-site scripting issues in a robohelp-produced file. If RB10 and 11 have HTML5 and alleviates this concern, that might be a good way to go.